Marinade.Finance is a non-custodial liquid staking protocol built on Solana. Users stake their SOL tokens with Marinade and receive mSOL (“marinated SOL”) tokens in return that can be used in decentralized finance (DeFi). mSOL is the most widely integrated collateralized version of SOL. The price of mSOL goes up relative to SOL each epoch, with rewards being accrued into the user’s stake account.
To learn more about Marinade.Finance, read the official documentation here.
About the audit
On September 1, 2021, the Ackee Blockchain security team completed an audit of Marinade.Finance. The files reviewed were: /programs/marinade-finance. The audit was performed with a total time donation of 1 engineering month.
At the beginning of the audit, the following main objectives were defined:
- Check the overall code quality.
- Make sure that no unauthorized party can withdraw SOL or mSOL from the liquid pool.
- Verify that only Marinade itself can mint tokens.
- Check that only authorized entities can deploy the program to the Solana network.
The security review was performed in two ways: manual code review (checking the code line by line for common vulnerabilities or code duplication), and local deployment and hacking (deploying the program locally, then trying to attack the system and break it).
The methods described above led to the following findings:
- L1: Not using a stable toolchain
- L2: Not using a linter tool
- L3: Using the outdated dependencies
- L4: Repository contains deploy keys
- M1: Using deprecated libraries
4 low severity issues and 1 medium severity issue were identified. None of these issues required immediate action.
Based on the audit findings, Ackee Blockchain recommended addressing the project’s lack of technical leadership: clear rules and guidelines for development, commit messages, log messages, coding style, comments and documentation, peer reviews between developers, and a clear roadmap for features and deployment. All of that should help future auditors or developers better understand the code.
The Marinade team was helpful and cooperative throughout the auditing process. All imperfections in the documentation and the commit culture were resolved quickly.
We were delighted to audit Marinade.Finance and look forward to working with them again.
The full Ackee Blockchain audit report of Marinade.Finance with a more detailed description of all findings and recommendations can be found here.